Audit Report

Access Controls for the Social Security Number Verification Service

A-03-12-11204 | April 2013

MEMORANDUM

Date:      April 18, 2013                                   Refer To:

To:        The Commissioner
From:      Inspector General
Subject:   Access Controls for the Social Security Number Verification Service (A-03-12-11204)

The attached final report presents the results of our audit. Our objective was to determine the
effectiveness of the Social Security Administration’s (SSA) controls to detect whether
companies were improperly using SSA's employer verification programs for non-employment
purposes.

If you wish to discuss the final report, please call me or have your staff contact
Steven L. Schaeffer, Assistant Inspector General for Audit, at (410) 965-9700.

Patrick P. O’Carroll, Jr.

Attachment

Office of Audit Report Summary

Objective

To determine the effectiveness of the Social Security Administration’s (SSA) controls to detect
whether companies were improperly using SSA's employer verification programs for
non-employment purposes.

Background

In 2005, SSA implemented the Social Security Number Verification Service (SSNVS) to assist
employers with accurate wage reporting and increase the ease and convenience of verifying
employee names and Social Security numbers (SSN).

SSA developed several fraud detection reports to help detect whether registered companies were
properly using SSNVS. The SSNVS Failed Master Earnings File (MEF) check report helps ensure
there is an employer/employee relationship between the user and individual verified. The Same
Name/Different SSN Potential Fraud Identification report identifies users attempting to verify
more than 50 combinations of the same name and different SSN for a single Employer
Identification Number (EIN). The Same SSN/Different Name Potential Fraud Identification report
identifies users attempting to verify more than 50 combinations of the same SSN and different
name for a single EIN.

Our Findings

The controls to detect whether employers were improperly using SSA’s SSNVS program for
non-employment purposes need to be improved. The Failed MEF Check reports for Calendar Years
2009 and 2010, which included about 26 million transactions, were unreliable. The reports
contained numerous false positive (meaning an employer/employee relationship existed),
non-SSNVS, and duplicate transactions, which made it difficult for SSA staff to identify
instances where employers may have been verifying individuals who were not employees.

The Same Name/Different SSN and Same SSN/Different Name Potential Fraud Identification reports
effectively identified instances where registered companies may have been searching for valid
name/SSN combinations. Our review of the reports generated in Fiscal Year 2010 found that seven
employers may have inappropriately used SSNVS to search for valid name/SSN combinations for
non-employees. Although SSA staff agreed that four of the seven employers may have used SSNVS
for non-employment purposes, they were not consistent in contacting these employers to inform
them about the appropriate use of SSNVS.

Our Recommendations

1. Determine whether to modify the existing Failed MEF Check report to ensure it is a reliable
   tool to detect whether registered companies are improperly using SSNVS for non-employment
   purposes or develop a more useful fraud detection tool.

2. Conduct outreach with registered companies regarding using the appropriate EIN when
   submitting verifications to reduce the number of transactions posted to the Failed MEF
   Check report.

3. Develop consistent procedures for contacting employers who appear on the fraud detection
   reports to ensure the appropriate use of SSNVS.

SSA agreed with all our recommendations.

TABLE OF CONTENTS
Objective
Background
Results of Review
     SSNVS Failed MEF Check Report
           Non-SSNVS Transactions Posted to the Failed MEF Check Report
           Duplicate Transactions Posted to the Failed MEF Check Report
     Fraud Identification Reports
Conclusions and Recommendations
Agency Comments
Appendix A – Social Security Number Verification Service
Appendix B – Scope and Methodology
Appendix C – Agency Comments
Appendix D – Major Contributors

Access Controls for the Social Security Number Verification Service (A-03-12-11204)

ABBREVIATIONS
BSO                  Business Services Online
CBSV                 Consent Based Social Security Number Verification
CY                   Calendar Year
EIN                  Employer Identification Number
FY                   Fiscal Year
IRS                  Internal Revenue Service
MEF                  Master Earnings File
SSA                  Social Security Administration
SSN                  Social Security Number
SSNVS                Social Security Number Verification Service
Form W-2             Wage and Tax Statements

OBJECTIVE
Our objective was to determine the effectiveness of the Social Security Administration’s (SSA)
controls to detect whether companies were improperly using SSA's employer verification
programs for non-employment purposes.

BACKGROUND
In 2005, SSA implemented the Social
Security Number Verification Service (SSNVS) to assist
employers with accurate wage reporting and increase the ease and convenience of verifying
employee names and Social Security numbers (SSN). SSNVS is a free verification program that
allows registered companies (employers and submitters) to verify employees’ names and SSNs
against SSA’s records before submitting Wage and Tax Statements (Form W-2) to SSA.¹

As shown in Figure 1, the volume and use of SSNVS increased from Calendar Years (CY) 2008
to 2010. In CY 2008, SSA processed about 99 million transactions, and, in CY 2010, it
processed about 106 million transactions, an increase of about 7 million transactions over the
3-year period. In addition, the number of companies that registered and used the service
decreased in 2009 but increased in 2010. The net increase was 66 companies, 40,137 in
CY 2008 to 40,203 in CY 2010.

Figure 1: SSNVS Transactions for CYs 2008 Through 2010 (chart not reproduced; series: Total Transactions)
Notes:
    (a) Total transactions are in the millions.
    (b) Total registered companies that used SSNVS.

¹ See Appendix A for more information about SSNVS.

Registered companies can use SSNVS to verify current or former employees for wage reporting
purposes.² It is appropriate to use SSNVS only when an official employer/employee relationship
has been established. SSA defines an employer/employee relationship when one of the
following has occurred.³

•   The employer has offered, and the person being hired has accepted, employment (even
    though he/she has not started working).

•   The future employee has completed the paperwork to establish a payroll record.

Registered companies cannot use SSNVS to verify potential new hires, contractors, or
individuals related to other business functions. Companies that need to verify SSNs for
non-employment purposes (such as identity, credit, or mortgages) can use SSA’s Consent Based
Social Security Number Verification (CBSV) program. To use CBSV, companies must obtain
valid consent⁴ from the individual before verifying their SSN and pay SSA in advance a
$1.05 fee per transaction.⁵ Because both verification programs are available to the public, there
is a risk that companies may try to avoid CBSV’s consent and cost requirements by using
SSNVS for non-employment purposes.

In 2005, SSA developed several fraud detection reports to help detect whether registered users
were improperly using SSNVS.

•   SSNVS Failed Master Earnings File (MEF) Check Report. Compares a valid name/SSN
    combination submitted for verification against SSA’s MEF to determine whether the
    individual worked for the same company that submitted the verification. The MEF contains
    all earnings data reported by employers and self-employed individuals. This check helps
    ensure there is an employer/employee relationship. If the data do not match, the verification
    data are copied to the report for SSA staff to review.

•   Same Name/Different SSN Potential Fraud Identification Report. The weekly report
    identifies users attempting to verify more than 50 combinations of the same name and
    different SSN for a single Employer Identification Number (EIN).
    SSA compiles the data on
    a rolling 6-month basis to determine whether companies are phishing for a valid name/SSN
    combination. The report identifies up to 500 names.

•   Same SSN/Different Name Potential Fraud Identification Report. The weekly report
    identifies users attempting to verify more than 50 combinations of the same SSN and
    different name for a single EIN. SSA compiles the data on a rolling 6-month basis to
    determine whether companies are phishing for a valid name/SSN combination. The report
    identifies up to 500 SSNs.

² When registering for SSNVS, users attest they are verifying SSNs solely to ensure the records of current or former
employees are correct for completing Internal Revenue Service (IRS) Form W-2.
³ SSA, Business Services Online Social Security Number Verification Service (SSNVS) Handbook,
September 2011.
⁴ Obtaining consent is required by the Privacy Act of 1974, as amended. See 5 U.S.C. § 552a (b).
⁵ In Fiscal Year (FY) 2009, SSA implemented the CBSV program to assist companies with consent-based SSN
verification for non-program-related reasons. At that time, the cost per transaction was $5.00, but in FY 2012, the
cost was reduced to $1.05.

RESULTS OF REVIEW
The controls to detect whether companies were improperly using SSNVS for non-employment
purposes need to be improved. The Failed MEF Check reports for CYs 2009 and 2010, which
included about 26 million transactions, were unreliable. The reports contained numerous false
positive (meaning an employer/employee relationship existed), non-SSNVS, and duplicate
transactions, which made it difficult for SSA staff to identify instances where employers may
have been verifying individuals who were not employees.
Specifically, 129 (65 percent) of the
200 sample transactions we reviewed were posted to the reports even though there was a verified
employer/employee relationship between registered companies and individuals. The postings
occurred because either registered companies did not use the same EINs for verification and
wage reporting or SSA generated the reports before the wages were posted to the MEF. In
addition, we found that 1.6 million of the 26 million transactions posted to the Failed MEF
Check reports did not relate to SSNVS. We determined that 1.2 million (79 percent) of these
transactions related to CBSV and were erroneously posted to the Failed MEF Check reports
because of a programming error. Lastly, we found that 4.2 million transactions were duplicates
that should have been removed before the reports were generated.

Further, we found that both the Same Name/Different SSN and Same SSN/Different Name
Potential Fraud Identification reports effectively identified instances where registered companies
may have been searching for valid name/SSN combinations. Our review of the reports generated
in FY 2010 found seven employers may have inappropriately used SSNVS to search for valid
name/SSN combinations for non-employees. Although SSA staff agreed that four of the seven
employers may have used SSNVS for non-employment purposes, they were not consistent in
contacting these employers to inform them about the appropriate use of SSNVS.

SSNVS Failed MEF Check Report
As shown in Table 1, the Failed MEF Check reports for the 2-year period contained
approximately 26 million records. The 2009 SSNVS Failed MEF Check report contained about
2.7 million records related to 4,149 registered companies, and the 2010 report included
approximately 23.4 million records related to 34,564 registered companies. This was a
20.7-million record increase over 1 year.
When compared to the total number of records
submitted to SSNVS for both years, the 2009 Failed MEF Check data represented 3 percent of
the transactions and 11 percent of the companies, and the 2010 Failed MEF Check data
represented 22 percent of the transactions and 86 percent of the companies. We discussed with
Agency staff why there was such a significant increase in the number of transactions posted to
the Failed MEF Check reports from 2009 to 2010; however, they could not provide an
explanation for the significant increase.

Table 1: Failed MEF Check Report for CYs 2009 to 2010

        Total SSNVS       Total Registered   MEF Check         MEF Check Registered   Percent of     Percent of Registered
CY      Transactions(a)   Companies          Transactions(a)   Companies              Transactions   Companies
2009    101.6             39,250             2.7               4,149                  3              11
2010    106.2             40,203             23.4              34,564                 22             86
Total   207.8                                26.1

Note:   (a) Records are in millions.

To understand why the Failed MEF Check reports included such a significant number of
transactions, we reviewed a sample of 200 transactions related to 81 employers for the 2-year
period.
We found the reports had limited value for SSA staff to detect SSNVS misuse because
129 (65 percent) of the 200 transactions were false positive transactions:

•    98 transactions (49 percent) related to employers using more than 1 of their EINs for
     verification and wage reporting. While a verified employee/employer relationship existed
     between employers and individuals, the employers did not use the same EIN for verification
     and wage reporting, causing SSA to post the transactions to the Failed MEF Check reports.
     SSA’s policy requires that the submitter provide the EIN of the employer who reports the
     wages for verification.⁶ SSA should take steps to remind employers about this requirement
     to help keep these types of transactions from being erroneously posted to the report.

•    27 transactions (14 percent) related to submitters using their own EINs for verification even
     though SSA’s policy requires that the submitter provide the EIN of the employer who reports
     the wages for verification. We found submitters (that is, companies that conducted
     background checks, processed payroll, and provided staffing service) used their EINs to
     verify individuals, but employers who actually hired the individuals reported the wages. As a
     result, the EINs did not match, causing SSA to post false positive transactions to the Failed
     MEF Check reports.

•    10 transactions (5 percent) were submitted to CBSV for verification instead of SSNVS.
     Because companies use CBSV for non-employment purposes, there would not be an
     employer/employee relationship between the companies and the individuals verified. These
     records should not have been included on Failed MEF Check reports.
     We discuss this issue
     in more detail later in the report.

•    4 transactions (2 percent) were erroneously posted to the Failed MEF Check report because
     of timing issues. Although there was an employee/employer relationship for the four
     individuals, SSA posted the transactions to the Failed MEF Check report because the report
     was generated before the wages were posted to the MEF. The 2009 SSNVS Failed MEF
     Check report was generated in early April 2010, but the wages were not posted to the MEF
     until the end of April 2010. Had SSA generated the report later in the year when it received a
     majority of the wage information from employers, these records would not have been
     included on the report.

⁶ SSA, Business Services Online Social Security Number Verification Service (SSNVS) Handbook,
September 2011.

The remaining 61 transactions (30 percent) could have related to the improper use of SSNVS
because we were not able to confirm whether there was an employer/employee relationship.
However, these transactions may also relate to the integrity issues discussed below.

Non-SSNVS Transactions Posted to the Failed MEF Check Report
We found several integrity issues with the Failed MEF Check reports that made them unreliable
and not useful for SSA staff to detect whether companies were misusing SSNVS. For example,
the 2009 and 2010 Failed MEF Check reports contained about 1.6 million transactions that did
not relate to SSNVS (see Table 2).
Specifically, in 2009, there were about 180,000 (7 percent)
more transactions on the Failed MEF Check report than submitted through SSNVS for
11 companies, and in 2010, the report contained an additional 1.4 million (6 percent) transactions
related to 11,429 companies.

Of the 1.6 million transactions, we determined that 1.2 million (79 percent) transactions related
to CBSV rather than SSNVS.⁷ In 2009, 6 companies submitted about 172,000 CBSV
verifications and in 2010, 51 companies submitted about 1.1 million verifications. Because
CBSV is a verification program for non-employment purposes, the transactions met the Failed
MEF Check report criteria and were erroneously posted to the reports. A programming error
caused the CBSV transactions to be posted to the Failed MEF Check report. Since both SSNVS
and CBSV are services offered under Business Services Online (BSO), a suite of Internet
services for businesses and employers to exchange information with SSA over the Internet,⁸ SSA
staff did not select the SSNVS role identifier when generating the Failed MEF Check reports.
Selecting only the SSNVS role identifier would have eliminated CBSV transactions from
inclusion in Failed MEF Check reports.

We were not able to determine why the remaining 335,000 transactions (21 percent) were posted
to the Failed MEF Check reports. It is possible these transactions related to other services
offered under BSO.

⁷ These records represent an exact match on the following data fields: EIN, user personal identification number,
SSN, and first and last name.
⁸ BSO allows employers to report Forms W-2 to the Agency electronically.
However, BSO also offers other
services, such as SSNVS; CBSV; and representative, attorney and non-attorney business activities.

Table 2: Non-SSNVS Transactions for CYs 2009 and 2010

        Total Non-SSNVS   CBSV           CBSV      Unknown        Unknown
CY      Transactions      Transactions   Percent   Transactions   Percent
2009    180,000           172,000        96        8,000          4
2010    1,400,000         1,073,000      77        327,000        23
Total   1,580,000         1,245,000      79        335,000        21

Duplicate Transactions Posted to the Failed MEF Check Report
SSA’s policy⁹ for producing the Failed MEF Check report requires that staff remove duplicate
transactions before generating the report. A duplicate transaction involves an exact match on
certain data fields, such as the EIN, user identification number,¹⁰ SSN, and name. However, we
found both reports included approximately 4.2 million duplicate transactions (see Table 3). The
2009 report contained about 461,000 (17 percent) duplicate transactions related to
510 employers, and the 2010 report contained about 3.7 million duplicate transactions
(16 percent) related to 3,172 employers.
SSA should have removed the duplicate transactions
from the reports to avoid wasting valuable staff resources researching and analyzing these
transactions.

Table 3: Duplicate Transactions for CYs 2009 and 2010

        MEF Check      MEF Check Registered   Duplicate      Duplicate   Percent of
CY      Transactions   Companies              Transactions   Companies   Transactions
2009    2,700,000      4,149                  461,000        510         17
2010    23,400,000     34,564                 3,700,000      3,172       16
Total   26,100,000                            4,161,000                  16

Since the Failed MEF Check report was implemented in 2005, SSA has not used it to remove or
block companies’ access to SSNVS because the reports have not been a useful tool to identify
potential misuse.
Because SSNVS is used to ensure accurate wage reporting and SSA processes
over 100 million transactions annually, the Agency needs to determine whether to modify the
existing Failed MEF Check report to help ensure registered companies are using SSNVS as
intended or develop a more useful fraud detection tool.

⁹ SSA, Social Security Number Verification Service (SSNVS) Detailed System Specifications (DSS) Chapter 7-
Reports, April 2009, page 38.
¹⁰ The user identification number is a unique number assigned to users when they register for BSO services such as
SSNVS and CBSV.

Fraud Identification Reports
Both the Same Name/Different SSN and Same SSN/Different Name Potential Fraud
Identification reports effectively identified instances where registered companies may have been
phishing¹¹ for valid name/SSN combinations. Based on our review of the reports generated in
FY 2010, we found that seven employers identified on the reports may have used SSNVS
inappropriately to search for valid name/SSN combinations (see Table 4).

Table 4: Analysis of FY 2010 Potential Fraud Identification Reports

Same Name/Different SSN Report
Report               Same Names   Different SSNs    Employers
Potential Phishing   42           8,258             4(a)
Submission Errors    36           32,374            6
Total:               78           40,632            10

Same SSN/Different Name Report
Report               Same SSNs    Different Names   Employers
Potential Phishing   34           2,085             4(a)
Submission Errors    5            527               3
Total:               39           2,612             7

Note:    (a) One employer appeared on both fraud reports. Thus, seven employers were potentially searching for
         valid name/SSN combinations.

Same Name/Different SSN Potential Fraud Identification Reports: The Same Name/Different
SSN Potential Fraud Identification reports showed that four employers could have used SSNVS
inappropriately to search for valid name/SSN combinations. The employers submitted 42 names
associated with 8,258 different SSNs, ranging from 51 to 1,542 different SSNs. The transactions
appeared suspicious because the employers verified names with similar SSNs that varied by one
or two digits. For example, an employer in the food and beverage industry verified a name with
55 different SSNs where only 1 digit was different, indicating the employer may have been
searching for a valid name/SSN combination.

Furthermore, we found that an employer who was a State prison agency submitted a majority of
the transactions that appeared on the fraud reports. The employer submitted 28 (67 percent) of
the 42 names associated with 7,125 SSNs. It appeared this employer was phishing for a valid
name/SSN combination because the employer submitted similar names for verification. In
addition, we were not able to find any evidence that the employer had reported any wages for
most of the individuals, leading us to believe the verifications were not related to wage reporting.

¹¹ Phishing is the act of attempting to acquire personal information (such as a valid name and SSN combination) that
will be used for an illegal purpose.

The remaining six employers appeared on the fraud report because of submission errors.
While
the reports showed the employers submitted 35 names associated with 32,374 different SSNs,
the reported names described company names or known missing/bad data. For instance, an
employer included “NOT NOT and SSN BAD” in the name field.

Same SSN/Different Name Potential Fraud Identification Reports: The Same SSN/Different
Name Potential Fraud Identification reports showed that four employers could have used SSNVS
inappropriately to search for valid name/SSN combinations. The employers submitted 34 SSNs
associated with 2,085 different names, ranging from 51 to 74 different names. The State prison
agency submitted 30 (88 percent) of the 34 SSNs associated with 1,840 names. The transactions
appeared suspicious because the SSNs were reported with names that appeared to be legitimate.
Further, we found the 34 SSNs were valid but did not belong to any of the individuals for whom
they had been submitted for verification. Moreover, none of the employers reported any wages
to SSA using any of the name/SSN combinations indicating the verifications were not related to
wage reporting.

The remaining 3 employers who reported 5 SSNs associated with 527 names appeared on the
fraud reports because of submission errors. They submitted data in the name field, such as
names of companies or bad data, that did not appear to be legitimate. For example, one
employer reported a valid SSN with names such as “Mistake Mistake and Account Suspense.”

SSA staff agreed that four of the seven employers who appeared on both fraud reports had
inappropriately used SSNVS. At the time of our review, SSA staff had only contacted one of the
employers about their inappropriate activity and requested that they stop. The Agency did not
contact the other three employers because their activity did not appear to be recurring.
While the
inappropriate use may not have been repetitive, SSA staff needs to ensure employers have a clear
understanding of the various verification programs the Agency offered. Companies that need to
verify SSNs for non-employment purposes (such as identity, credit, or mortgages) should be
using CBSV, which requires that companies obtain a valid consent from the individual before
verifying their SSN and paying a fee of $1.05 per transaction. Furthermore, since the
verifications were inappropriate and the employers may not have obtained proper consent,¹²
these transactions could represent an improper disclosure.

¹² SSA, Program Operations Manual System, GN 03305.001 Disclosure With Consent – General,
(September 12, 2005).

For the remaining three employers, SSA concluded that their activity was associated with
submission errors. SSA staff did not contact two of the employers because they based their
conclusions on the fact that the employers used a fictitious SSN or entered only the first initial
when submitting names. SSA staff contacted the State prison agency and was informed that a
logic error had occurred when the State prison agency uploaded its files, causing names to be
repeated with different SSNs. However, of the 28 names that appeared on the Same
Name/Different SSN Potential Fraud Identification reports, we found 26 were reported with
valid name/SSN combinations, meaning the reported names and SSNs matched SSA’s records.
The number of valid name/SSN combinations for the 26 names ranged from 7 to 53, totaling
805.
Based on our review of SSA’s earnings records, the State prison did not report any wages for 802 of the 805 individuals, indicating the verifications were not related to wage reporting. However, SSA’s records showed that 132 of these individuals had a prison record.

CONCLUSIONS AND RECOMMENDATIONS
SSA processes over 100 million SSNVS transactions annually, so the Agency needs to ensure it has proper controls in place to detect whether registered companies are using SSNVS to ensure accurate wage reporting. Our review found that SSA’s Failed MEF Check reports were not serving the purpose for which they were intended, which was to detect whether employers were improperly using SSNVS for non-employment purposes. The 2009 and 2010 Failed MEF Check reports, which included about 26 million verification transactions, were unreliable because they included numerous false positive, non-SSNVS, and duplicate transactions, which made it difficult for SSA staff to identify instances where employers may have been verifying individuals who were not employees.

Further, while both the Same Name/Different SSN and Same SSN/Different Name Potential Fraud Identification reports effectively identified instances where registered companies may have been phishing for valid name/SSN combinations, the monitoring controls over the reports could be improved. We reviewed the reports generated in FY 2010 and identified seven employers who may have used SSNVS inappropriately to search for valid name/SSN combinations for non-employees. However, SSA did not consistently contact the employers who appeared on the fraud reports to confirm whether their activity was inappropriate and to inform them of the proper use of SSNVS.

Accordingly, we recommend that SSA:

1. Determine whether to modify the existing Failed MEF Check report to ensure it is a reliable tool to detect whether registered companies are improperly using SSNVS for non-employment purposes or develop a more useful fraud detection tool.

2. Conduct outreach with registered companies regarding using the appropriate EIN when submitting verifications to reduce the number of transactions posted to the Failed MEF Check report.

3. Develop consistent procedures for contacting employers who appear on the fraud detection reports to ensure the appropriate use of SSNVS.

AGENCY COMMENTS
SSA agreed with our recommendations. The Agency’s comments are included in Appendix C.

APPENDICES

Appendix A – SOCIAL SECURITY NUMBER VERIFICATION SERVICE
To increase the ease and convenience of verifying employee names and Social Security numbers (SSN), the Agency developed the Social Security Number Verification Service (SSNVS). SSNVS is a free online program, with a batch option, that allows employers and submitters (that is, companies that conduct background checks, process payroll, and provide staffing service) to verify employees’ names and SSNs. SSNVS ensures employees’ names and SSNs match the Social Security Administration’s (SSA) records before their wage reports are submitted to SSA. As of Calendar Year (CY) 2010, SSNVS had processed approximately 106.2 million transactions for about 40,000 employers.
As illustrated in Figure 1, SSNVS’ use increased by about 7 million transactions (7-percent increase).

[Figure 1: SSNVS Transactions for CYs 2008 Through 2010 (vertical axis: Total Transactions in Millions)]

To access SSNVS, employers and third parties must first register online at SSA’s Business Services Online (BSO) Website. After registration, SSA mails an activation code,¹ which is needed to gain access to SSNVS, to the address the Internal Revenue Service has on file.² Once the registered companies activate SSNVS using their user identification number³ and the activation code, they can start submitting verifications. Registered companies can:

•   Submit up to 10 employee names and SSNs (per screen) via the online SSNVS and receive immediate results.

•   Upload files containing up to 250,000 employee names and SSNs and usually receive verification results the next Government business day. This bulk procedure allows employers to verify an entire payroll database or verify at one time the names and SSNs of a large number of newly hired workers.

¹ The activation code is an alphanumeric code sent by SSA to the employer or registered user when access to certain programs is requested. This code must be entered on the Activate Access to BSO Service web page to enable the user to access the requested service.

² The address is obtained from the Employer’s Federal Tax Return (Form 941) or Application for Employer Identification Number (SS-4).

³ The user identification number is a unique number assigned to users when they register for BSO services such as SSNVS.

SSA returns a verification code to the employer for each employee whose information does not match SSA’s record.
In addition to the verification code, SSA provides a death indicator if the employee’s Numident record includes a date of death. Table A-1 describes the SSNVS verification codes.

Table A-1: SSNVS Verification Codes Provided to Companies

SSNVS Code   Description of Code
“Blank”      Name and SSN match SSA's records.
1            SSN not in file (never issued to anyone)
2            Name and date of birth match; gender code does not match
3            Name and gender code match; date of birth does not match
4            Name matches; date of birth and gender code do not match
5            Name does not match; date of birth and gender code not checked
6            SSN Not Verified; Other Reason
Y            Death indicator

Appendix B – SCOPE AND METHODOLOGY
To accomplish our objective, we:

•   Reviewed applicable Federal laws and Social Security Administration (SSA) policies and procedures.

•   Reviewed prior audit reports from the Office of the Inspector General concerning the Social Security Number Verification Service (SSNVS).

•   Obtained Calendar Year (CY) 2009 and 2010 Failed Master Earnings File (MEF) Check transaction data.

        o For CY 2009, the report contained 2.7 million records related to 4,149 employers.

        o For CY 2010, the report contained 23.4 million records related to 34,564 employers.

•   Selected a random sample of 100 transactions (200 in total) from the 2009 and 2010 Failed MEF Check reports to determine whether the transactions posted properly to the reports.

•   Obtained CY 2009 and 2010 Consent Based Social Security Number Verification (CBSV) transactions data.

•   Compared transactions from the Failed MEF Check report with CBSV to identify non-SSNVS transactions.

•   Obtained the weekly Same Name/Different Social Security Number (SSN) Potential Fraud Identification Report and Same SSN/Different Name Potential Fraud Identification Report generated in Fiscal Year 2010.

•   For the names and SSNs on the potential fraud reports, we reviewed data obtained from the Numident, Master Earnings File, Annual Wage Reporting System, and Prisoner Update Processing System.

We determined that the SSNVS data used for this audit were sufficiently reliable to meet our objective. The entities audited were the Offices of Earnings, Enumeration and Administrative Systems under the Deputy Commissioner for Systems and Electronic Services under the Office of the Deputy Commissioner for Operations. Our work was conducted at the Philadelphia Audit Division, Philadelphia, Pennsylvania, from April 2012 through January 2013. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

Appendix C – AGENCY COMMENTS

SOCIAL SECURITY

MEMORANDUM

Date:      April 2, 2013
Refer To:  S1J-3

To:        Patrick P. O’Carroll, Jr.
           Inspector General

From:      Katherine Thornton /s/
           Deputy Chief of Staff

Subject:   Office of the Inspector General Draft Report, “Access Controls for the Social Security Number Verification Service” (A-03-12-11204)--INFORMATION

Thank you for the opportunity to review the draft report. Please see our attached comments.

Please let me know if we can be of further assistance. You may direct staff inquiries to Gary S. Hatcher at (410) 965-0680.

Attachment

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL DRAFT REPORT, “ACCESS CONTROLS FOR THE SOCIAL SECURITY NUMBER VERIFICATION SERVICE” (A-03-12-11204)

Recommendation 1

Determine whether to modify the existing Failed MEF Check report to ensure it is a reliable tool to detect whether registered companies are improperly using SSNVS for non-employment purposes or develop a more useful fraud detection tool.

Response

We agree. We will continue to investigate if there are meaningful tools or improvements we can make to protect the use of the Social Security Number Verification System (SSNVS) for its intended purpose.

Recommendation 2

Conduct outreach with registered companies regarding using the appropriate EIN when submitting verifications to reduce the number of transactions posted to the Failed MEF Check report.

Response

We agree. When we correspond with the registered users, we will include information on the proper use of SSNVS.
In addition, we plan to explore enhancements to both the online and file upload SSNVS input screens to improve the instructions for users, including inputting the appropriate employer identification number.

Recommendation 3

Develop consistent procedures for contacting employers who appear on the fraud detection reports to ensure the appropriate use of SSNVS.

Response

We agree. With the low volume of issues appearing on the fraud detection reports, we did not see the need for formal procedures; however, we will develop procedures as recommended.

Appendix D – MAJOR CONTRIBUTORS
Cylinda McCloud-Keal, Philadelphia Audit Director

Virginia Harada, Audit Manager

William Kearns, IT Specialist

Luis Ramirez, Audit Data Specialist

MISSION
By conducting independent and objective audits, evaluations, and investigations, the Office of the Inspector General (OIG) inspires public confidence in the integrity and security of the Social Security Administration’s (SSA) programs and operations and protects them against fraud, waste, and abuse.
We provide timely, useful, and reliable information and advice to Administration officials, Congress, and the public.

CONNECT WITH US
The OIG Website (http://oig.ssa.gov/) gives you access to a wealth of information about OIG. On our Website, you can report fraud as well as find the following.
   •   OIG news
   •   audit reports
   •   investigative summaries
   •   Semiannual Reports to Congress
   •   fraud advisories
   •   press releases
   •   congressional testimony
   •   an interactive blog, “Beyond The Numbers” where we welcome your comments

In addition, we provide these avenues of communication through our social media channels.
   •   Watch us on YouTube
   •   Like us on Facebook
   •   Follow us on Twitter
   •   Subscribe to our RSS feeds or email updates

OBTAIN COPIES OF AUDIT REPORTS
To obtain copies of our reports, visit our Website at http://oig.ssa.gov/audits-and-investigations/audit-reports/all. For notification of newly released reports, sign up for e-updates at http://oig.ssa.gov/e-updates.

REPORT FRAUD, WASTE, AND ABUSE
To report fraud, waste, and abuse, contact the Office of the Inspector General via
   Website:        http://oig.ssa.gov/report-fraud-waste-or-abuse
   Mail:           Social Security Fraud Hotline
                   P.O. Box 17785
                   Baltimore, Maryland 21235
   FAX:            410-597-0118
   Telephone:      1-800-269-0271 from 10:00 a.m. to 4:00 p.m. Eastern Standard Time
   TTY:            1-866-501-2101 for the deaf or hard of hearing